NEN 7510 for healthcare organisations: information security in healthcare

Compliance · 7 min read

Kees van der Vlies

Partner | IT Auditor


NEN 7510 is the Dutch standard for information security in healthcare. The standard is based on ISO 27001 but contains additional requirements that are specifically relevant for organisations that work with medical personal data.

The standard is not optional. Under the Act on Additional Provisions for the Processing of Personal Data in Healthcare (Wabvpz), healthcare providers are required to comply with NEN 7510 when they process patient data electronically. This applies to hospitals, general practices and mental healthcare institutions, but also to IT suppliers that manage healthcare systems.

NEN 7510 covers controls in the areas of access management, physical security, personnel measures, network and communications security, and continuity management. Specific to healthcare are the requirements around medical devices, patient portals and the exchange of medical data through systems such as LSP and MedMij.

The supplementary standards NEN 7512 and NEN 7513 specify requirements for the electronic communication of patient data and the logging of access to patient records respectively. Together they form the standards framework for information security in Dutch healthcare.

A NEN 7510 audit tests whether the organisation has set up a working information security management system (ISMS) in accordance with the standard. The auditor evaluates policy, risk management, technical measures and awareness among employees.

Common shortcomings are insufficient logging of access to patient data, missing risk analyses, incomplete processor agreements with IT suppliers, and insufficient awareness among employees about information security risks.

Secure Audit supports healthcare organisations and their IT suppliers in setting up NEN 7510 compliance and carrying out audits. For the formal certification audit we work together with accredited certification bodies such as DigiTrust (www.digitrust.nl). Get in touch for an inventory.
